Analysis Overview
SHA256
ad9a2790803eb17a4e3977c514c4ca98e520cb38f00f8103ee5f2cc1ed209b47
Threat Level: Known bad
The file Memory.vbs was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Blocklisted process makes network request
Checks computer location settings
Executes dropped EXE
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Opens file in notepad (likely ransom note)
Modifies registry class
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-30 10:56
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-30 10:56
Reported
2023-04-30 10:59
Platform
win7-20230220-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Windows\System32\WScript.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Windows\System32\WScript.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] | C:\Windows\System32\WScript.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\notepad.exe | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Memory.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\Admin\Desktop\SubmitUpdate.ps1"
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\SubmitUpdate.ps1"
C:\Windows\System32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\WindowsServices\EHKOZ.cmd" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\AppData\Roaming\WindowsServices\FWVCX.ps1
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ResumeWait.css
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.0.355683166\1439975545" -parentBuildID 20221007134813 -prefsHandle 1204 -prefMapHandle 1184 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5bd52bb5-877f-4dbc-ad78-3efb17012623} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 1280 13a1a558 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.1.1983110839\2001939041" -parentBuildID 20221007134813 -prefsHandle 1464 -prefMapHandle 1460 -prefsLen 20971 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6844763e-1e12-4d28-8e63-84124af3e7ac} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 1476 e6f558 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.2.1475014733\127366613" -childID 1 -isForBrowser -prefsHandle 2000 -prefMapHandle 2016 -prefsLen 21054 -prefMapSize 232675 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b67035fa-a9f7-4cc8-893b-39a5ce12219e} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 1808 19fbae58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.3.1287878395\355019885" -childID 2 -isForBrowser -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cd0de9d-6fea-42ba-8e6e-6361e934310f} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 2432 4138f58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.4.1165467229\1441273700" -childID 3 -isForBrowser -prefsHandle 2772 -prefMapHandle 2768 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72cbba45-d7c9-44b7-a961-8d7099897e90} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 2784 1bcf1758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.5.672143395\642375073" -childID 4 -isForBrowser -prefsHandle 3616 -prefMapHandle 2916 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {533ace37-d913-4f66-ac72-26f99e11762e} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 3628 1cbbbe58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.6.910910768\1580800364" -childID 5 -isForBrowser -prefsHandle 1052 -prefMapHandle 3500 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b7a40a9-1a1d-4df9-81dc-22e86304b869} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 3616 10cf0f58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.7.981082481\1417938795" -childID 6 -isForBrowser -prefsHandle 3908 -prefMapHandle 3912 -prefsLen 26704 -prefMapSize 232675 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {019d1575-50cd-4c65-8b6e-a9a9ef6c37df} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 3500 1e041a58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2884.0.377399218\593084186" -parentBuildID 20221007134813 -prefsHandle 1064 -prefMapHandle 1056 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0014f58b-9fe1-49b6-86da-85e1527bba3e} 2884 "\\.\pipe\gecko-crash-server-pipe.2884" 1128 f6f0358 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2884.1.208494050\88516281" -parentBuildID 20221007134813 -prefsHandle 1272 -prefMapHandle 1268 -prefsLen 17601 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c22fe55-96e3-4915-b4ac-eae3030b9c58} 2884 "\\.\pipe\gecko-crash-server-pipe.2884" 1296 105a0b58 socket
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\Old Firefox Data\g9aaxljs.default-release\cert9.db
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2884.2.1231732284\180934228" -childID 1 -isForBrowser -prefsHandle 2324 -prefMapHandle 2320 -prefsLen 21493 -prefMapSize 230321 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {61a754c9-f1ce-41ed-95f1-e36dd07f0238} 2884 "\\.\pipe\gecko-crash-server-pipe.2884" 2336 1a156c58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2884.3.2104324689\1936221637" -childID 2 -isForBrowser -prefsHandle 2512 -prefMapHandle 2516 -prefsLen 21600 -prefMapSize 230321 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b9f9d1a-3d25-428a-8270-a8b9d1e4b267} 2884 "\\.\pipe\gecko-crash-server-pipe.2884" 2500 1ad38558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2884.4.825854934\262093466" -childID 3 -isForBrowser -prefsHandle 2744 -prefMapHandle 2748 -prefsLen 22682 -prefMapSize 230321 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {370dabd4-fb5c-4677-ac0e-643bb06132a2} 2884 "\\.\pipe\gecko-crash-server-pipe.2884" 2732 1b5dfb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2884.5.443566454\278560463" -childID 4 -isForBrowser -prefsHandle 3048 -prefMapHandle 2580 -prefsLen 29253 -prefMapSize 230321 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16332c54-7d89-4ce2-a052-40f20368883e} 2884 "\\.\pipe\gecko-crash-server-pipe.2884" 3260 1c447b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2884.6.1040841536\438826198" -childID 5 -isForBrowser -prefsHandle 2576 -prefMapHandle 3272 -prefsLen 29253 -prefMapSize 230321 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5261da38-0481-4e53-b6c1-fdf48807ca56} 2884 "\\.\pipe\gecko-crash-server-pipe.2884" 3236 1059e758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2884.7.1994786650\398112011" -childID 6 -isForBrowser -prefsHandle 3508 -prefMapHandle 3144 -prefsLen 29426 -prefMapSize 230321 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d9eadae-bc71-4bdf-99f4-1ee6b9d70570} 2884 "\\.\pipe\gecko-crash-server-pipe.2884" 3236 119b0f58 tab
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | pastebin.pl | udp |
| PL | 185.157.81.233:443 | pastebin.pl | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 88.221.25.153:80 | apps.identrust.com | tcp |
| N/A | 127.0.0.1:49310 | N/A | tcp |
| N/A | 127.0.0.1:49319 | N/A | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 35.241.9.150:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 54.149.234.21:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 34.117.65.55:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 35.241.9.150:443 | firefox.settings.services.mozilla.com | tcp |
| N/A | 127.0.0.1:49642 | N/A | tcp |
| N/A | 127.0.0.1:49647 | N/A | tcp |
| US | 8.8.8.8:53 | location.services.mozilla.com | udp |
| US | 52.41.179.165:443 | location.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | locprod2-elb-us-west-2.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | locprod2-elb-us-west-2.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | support.mozilla.org | udp |
| US | 8.8.8.8:53 | prod.sumo.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.sumo.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
Files
memory/1584-71-0x000000001B250000-0x000000001B532000-memory.dmp
memory/1584-72-0x00000000022E0000-0x00000000022E8000-memory.dmp
memory/1584-73-0x00000000029F0000-0x0000000002A70000-memory.dmp
memory/1584-74-0x00000000029F0000-0x0000000002A70000-memory.dmp
memory/1584-75-0x00000000029F0000-0x0000000002A70000-memory.dmp
memory/1584-76-0x00000000029FB000-0x0000000002A32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab7449.tmp
| MD5 | fc4666cbca561e864e7fdf883a9e6661 |
| SHA1 | 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5 |
| SHA256 | 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b |
| SHA512 | c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 3ac860860707baaf32469fa7cc7c0192 |
| SHA1 | c33c2acdaba0e6fa41fd2f00f186804722477639 |
| SHA256 | d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904 |
| SHA512 | d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c |
C:\Users\Admin\AppData\Local\Temp\Tar7855.tmp
| MD5 | 4ff65ad929cd9a367680e0e5b1c08166 |
| SHA1 | c0af0d4396bd1f15c45f39d3b849ba444233b3a2 |
| SHA256 | c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6 |
| SHA512 | f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f429f80f6903d82eb1f6194e6f4c1a7d |
| SHA1 | bcaaaa07e8fc46d1be8b46a4d8ca23466f013d81 |
| SHA256 | 16521a622cb808af84e0cc61c4505bfa11c98060432ade4150f8159221584962 |
| SHA512 | b2b03922bbce74aa1e11722b550db6dbc9cd6a55a3d15132740eece13b55c543929c2dc76992ea283012319404946ffa4302078a3f6f21d6d51cb1638c9b528d |
C:\Users\Admin\AppData\Roaming\WindowsServices\EHKOZ.cmd
| MD5 | 0c4f14db483f17cc1842aa6d7762fe00 |
| SHA1 | 582e6d58bee7b124cd6b0b4d9514f73ce68d374c |
| SHA256 | c3aa7a1a4b7ff07c05c5c630853c1b9ce4110481a4300a05536e501f198fb4f4 |
| SHA512 | d5136d78b29667cfd3a6e2c050ebf95509e7acf032a192bc7eca8510f7c3d4b1e98aea1bb34cbe2d2cd54da87ee57dd2b93c4da27bf3ea30b5b32f5fe20f2950 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 39f9ba615eaca3db8b3d96ef4fa12e91 |
| SHA1 | 5773d78b0f4c3161965169d0fd6f4ab428da15dd |
| SHA256 | 631c4ae8cea0269a16be04d977973a6650060ca403dff3e26d9144cd9c27936d |
| SHA512 | 57d1b9ce1ceb7e75454c8d83ae01a2fe6d8e09603186aaa9b239a1efc6e00ba1178920a21f5fad68e970d5b8d12f9aa4f5aa5cc32e32777ef42a1c81b7f13284 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EDR4AM71O4V3H9V7TWI5.temp
| MD5 | 39f9ba615eaca3db8b3d96ef4fa12e91 |
| SHA1 | 5773d78b0f4c3161965169d0fd6f4ab428da15dd |
| SHA256 | 631c4ae8cea0269a16be04d977973a6650060ca403dff3e26d9144cd9c27936d |
| SHA512 | 57d1b9ce1ceb7e75454c8d83ae01a2fe6d8e09603186aaa9b239a1efc6e00ba1178920a21f5fad68e970d5b8d12f9aa4f5aa5cc32e32777ef42a1c81b7f13284 |
memory/1644-193-0x000000001B0B0000-0x000000001B392000-memory.dmp
memory/1644-194-0x00000000022A0000-0x00000000022A8000-memory.dmp
C:\Users\Admin\AppData\Roaming\WindowsServices\FWVCX.ps1
| MD5 | 5136fb951b17f99d700ee1816764f255 |
| SHA1 | 1ffa5721e100a286752da77bd203ac9d76573eec |
| SHA256 | 4c300f1601a8baa0a9bedf7048f960425ad7e1fe899b0ebded0f5628acdd0743 |
| SHA512 | 29cacc82c91c194a8ca3df15aad8983d57c4bf563b9aec5b74cca0c99c8b42b49ff8ff182c42313ad7aee8d2fe3c2a6819dbcb0bef43eaaa01af53519b986566 |
memory/1644-196-0x0000000002414000-0x0000000002417000-memory.dmp
memory/1644-197-0x000000000241B000-0x0000000002452000-memory.dmp
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | d78f44afbaad99deea718fe7c42c2367 |
| SHA1 | f6c70e6bf06d38e3aaf4d41651d74cef989d363f |
| SHA256 | afc121866da59521dc3038d962ff6f08f02f2b798e5dbd4a1124acb4839e51d1 |
| SHA512 | 1e8b527945dab2789e205d6d714516fa775600968764de5bf5c5d39a27979edf84200e4a9a4ba9619b4a146548e94e7deabbfd09a2d0cc257743122502392252 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\prefs.js
| MD5 | 580aaebcc2926902dc1a82b71a1c70e5 |
| SHA1 | 844e9d6832ad15e30e1f1e02b2fc1978c3955cf4 |
| SHA256 | 2f8cfc1df1a4d6d9a5a338f79e811bf5e3584e5a62fec47638de62bde69cd5bd |
| SHA512 | 6a3004e1dba88f2d5cf2adda5939379bfdc94fc77557fb28ab116da1056a2982a0d2c3d9f1ad4b9a381917cf801a6edade445f2daa7771945fd30087b90a2086 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | d562fce347017aabf34e7455a0564357 |
| SHA1 | e0c551369d24ae8297ed78a0cb21e365cd275867 |
| SHA256 | ede6673cf45ef0869e682fb9db666abd3fd8590000609f2ed5cd3af6f1778c6f |
| SHA512 | 413d5eccc8578f8b00522b4e10b306f86b56f7457b61163ac410162dd6ca5970ebd451a0b731b280fcaa98af0daad0309c8be6ac5ea750f7cf459fa4c3265d5a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\sessionstore.jsonlz4
| MD5 | 6702e13c604c2eb0f0b913c02164fd4a |
| SHA1 | b2b75b353d88fc618696eaf9a5f216660f3b87be |
| SHA256 | 645973b1f03c8050eda4c452cd7231c91ad223df66e50a5d0c8b7565b425f1f0 |
| SHA512 | 0e93ba7e4fcf7d15629ff3ea7581422f35da02102461f0e6285d59443b52890ec17b11e7687511734ebf8c23f98a802800f2a0ab4c2e5fe4ef93379065ce45bd |
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ansawjgd.default-release-1682852295562\sessionCheckpoints.json
| MD5 | ea8b62857dfdbd3d0be7d7e4a954ec9a |
| SHA1 | b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a |
| SHA256 | 792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da |
| SHA512 | 076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\sessionCheckpoints.json
| MD5 | ea8b62857dfdbd3d0be7d7e4a954ec9a |
| SHA1 | b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a |
| SHA256 | 792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da |
| SHA512 | 076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19 |
C:\Users\Admin\Desktop\Old Firefox Data\g9aaxljs.default-release\addonStartup.json.lz4
| MD5 | 59dcce454c0c0a82b845fef9edd61e5e |
| SHA1 | 847355725e6a4973d5a13891c5a2eb8f2c87c411 |
| SHA256 | 78b13cf29159018bce25348928a06f9a11a2974ba00bb920a1759331c82a1c74 |
| SHA512 | b133df155cde99ba5ba45d319e14f37cebf14a82e419883debb6991ea7e2886e05575ad6b5c5bc293dcfee2fb5eb0c00ac8fa3ef090047068a9ac2687e26e36f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\addonStartup.json.lz4
| MD5 | 59dcce454c0c0a82b845fef9edd61e5e |
| SHA1 | 847355725e6a4973d5a13891c5a2eb8f2c87c411 |
| SHA256 | 78b13cf29159018bce25348928a06f9a11a2974ba00bb920a1759331c82a1c74 |
| SHA512 | b133df155cde99ba5ba45d319e14f37cebf14a82e419883debb6991ea7e2886e05575ad6b5c5bc293dcfee2fb5eb0c00ac8fa3ef090047068a9ac2687e26e36f |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\cache2\entries\E78E3F76C38A478389988CA4F4C125CDF3D80965
| MD5 | 2d68e5101d94bc1a94545190a6927293 |
| SHA1 | 05fa54bf7f847f3e227ec6b6c9cc9663e21caebc |
| SHA256 | 09a58b57f60d36c1c2cfa0a563ddcede96c2003e47112742fc88aec262515cfb |
| SHA512 | dfb35d01aec8711fe3137b031e12e8164ef6f466f430bcced19bde2c43285aefe0913446f507851b80aa8f3e8b6e342575053ea63963fb9b9ac9d7a4108e5696 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\cache2\entries\9648808B6C63CD1AAD97A7B68F84F35C95682143
| MD5 | 43e1435d4eb0933972719453cd4942f1 |
| SHA1 | 5bee7c682a074587979aa1d852beefc3da62575e |
| SHA256 | 0033c93abf7465a58ddbbe1e946f74e273b1b179d0d6ae3e0b825839f56c097b |
| SHA512 | 8857e58329f9abf9b83d2e14cb33e58fc04d359416ddbe71b564036cbc74d1849a077163db5e72376a5de334402d38782b562fb64d9247a2aa77239f71f67f98 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F
| MD5 | d03b660c08d1e3d97d4ac95573f7166e |
| SHA1 | 0446f49236afceb1345ea6dc12ae84fd793904d2 |
| SHA256 | b0715af9e152177d6273d233dd3ab5bff46e9aa25d9e8c442fd8d552fe940591 |
| SHA512 | a3047208ee4c99f5ed98ec0628e46e57ecd6e371a86c767a9d0545d3b4a9e4098f04f8bbefb8748ff4d20a51ea074a413cf92172e69cdde710336c4f6cbf614f |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\cache2\entries\38FF788A718C79DDC3D1E23EAA975517D9BA3BB0
| MD5 | 99d167315a03942df010eb064c51ae36 |
| SHA1 | 00067968427a8ac0b7f0e87de4713f0ef94bfe45 |
| SHA256 | 53b4c3d392d32e012840fa90d1092f9bd4d6abe8e144d5132d7d2c8a565c5ecb |
| SHA512 | 1e626d1fa1147a6a8e1622d47b31014a25eb8ae0026a612fef9f2fa4dbf2755792cd95869a5e2de7b793cceae649e0789270c710c7482b60d314fc210df79fcd |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495
| MD5 | ebc623262a276ee5884ea538dc98d0a1 |
| SHA1 | 9e36db6690a1da19085053730757682da401467c |
| SHA256 | 331a0fcf626d52219e0a97cd79c83e423e0325b134a696fc99c82b49b1cc1901 |
| SHA512 | 2ae5da7e05bbc2cba40fcbe5f6d3385fb44935814424bcb650ca0457d962deb3a6a4c6f2e21d020544b5421e971370ac0c0aa552323404ab8d3d2fea4ccd4699 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\cache2\entries\250EE2BC03AFF526F1A1C3DB212A79DE3EB60D5E
| MD5 | 8316df323309fe187d32c610792d0a83 |
| SHA1 | 9fe0792eb7fdea3012434040725b3a908143aae5 |
| SHA256 | 40b871911938ac8bab3d192892c8c5e5e4265911efecc0b005b3c6f305624106 |
| SHA512 | ec7d84b036897636997066f7c6ad01ca3b2647a78a7c5aedc6af9965084697801fe2c1a7155307d21b09f07611f8cb729dc857271e01256276414160ed48002d |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\activity-stream.discovery_stream.json
| MD5 | d1d9d229d644f201038881ffb3d2736e |
| SHA1 | 251e6dab646450ded1dcf2804fa6d32ba87caba8 |
| SHA256 | 819c16770d108d85be02ef1acf0c3dcc703ee2710001651175a655c8d4aea9af |
| SHA512 | 9e0f1c10ebaa2af2c8b9144bb7e6bfa6dc29bb7fc71929643a4e3bdf9bf8535657c74a6bd8467a5fd2f08ef6c05d8cb7799aacbc43b8294d7f8594c265ae425e |
C:\Users\Admin\Desktop\Old Firefox Data\g9aaxljs.default-release\crashes\store.json.mozlz4
| MD5 | a6338865eb252d0ef8fcf11fa9af3f0d |
| SHA1 | cecdd4c4dcae10c2ffc8eb938121b6231de48cd3 |
| SHA256 | 078648c042b9b08483ce246b7f01371072541a2e90d1beb0c8009a6118cbd965 |
| SHA512 | d950227ac83f4e8246d73f9f35c19e88ce65d0ca5f1ef8ccbb02ed6efc66b1b7e683e2ba0200279d7ca4b49831fd8c3ceb0584265b10accff2611ec1ca8c0c6c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\crashes\store.json.mozlz4
| MD5 | a6338865eb252d0ef8fcf11fa9af3f0d |
| SHA1 | cecdd4c4dcae10c2ffc8eb938121b6231de48cd3 |
| SHA256 | 078648c042b9b08483ce246b7f01371072541a2e90d1beb0c8009a6118cbd965 |
| SHA512 | d950227ac83f4e8246d73f9f35c19e88ce65d0ca5f1ef8ccbb02ed6efc66b1b7e683e2ba0200279d7ca4b49831fd8c3ceb0584265b10accff2611ec1ca8c0c6c |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\startupCache\scriptCache-child.bin
| MD5 | 67f22f27223d6a2da3760b5cf1a92340 |
| SHA1 | 70ec506cdbb71d9777baca2232c1ac27d9ea4c93 |
| SHA256 | 4cdd33a28c637663c53970683497e24af6acd0f8e3c8611b65caa3cff47bacd4 |
| SHA512 | aa218e6a5d52e175abd10da7fb2fcaa59aa1313acfdde24d8732554f8c036a540af8eb3660475b3b403494185e1a509cf42b3fce492b03b76e44d313ee2460ba |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\startupCache\startupCache.8.little
| MD5 | 4f83f6c96a302beaca0b28cd463334dd |
| SHA1 | 7ffe2c2050987517134cc27417f6806cdceed9d2 |
| SHA256 | 62e5a4f573e3e97d400d7fc2b1b190e5319a5299c25efaccb527458b83956645 |
| SHA512 | 47e83001b5f15fb22a060f3b8641dce67856ced4393ae2c6c03f6fb38fe90c8b53608b4635fa3ac87714fdbf0c1a1774c0aa261238fa2f7bd686bf1eef048d76 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\startupCache\scriptCache.bin
| MD5 | 73a366e845038263c490ffb092e82423 |
| SHA1 | 12680da9656c65914c7fa5fe4a17373b17672f8d |
| SHA256 | 1ec929e8aba4787b56907fb963eca22f3fb30e32d312fbbcc97260040a316ea4 |
| SHA512 | ecf469302ddd2d61d4b87470363b0c2e1e26df049a5a0e1d2e31ff72570da55ce87725e85aa709356ae2803eae6ac4671023c9bce384d5874f4355da2d4c0c0c |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\startupCache\urlCache.bin
| MD5 | 3d60125048b9cfa0a8b3efd93926061c |
| SHA1 | c75f03b24ce180625cc1ff90c0edb3c7be8dbe6a |
| SHA256 | 833009f721b8fb136546122525536fafa0263bff00ec606762f97d0d6c715f96 |
| SHA512 | dfeab9502ac524ec4262cf970b87942fccfe86eb8773d0498f9373268fac4e69d5ac442588f42ce51daebc1b3acf42afce1b8a5547a71e43a2d2f637aa828bde |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
| MD5 | 5c3b3d0b5f8bdf86259ea405a76e5e8a |
| SHA1 | 686b4d30930f08246ef7604b8db9db56210eaf6e |
| SHA256 | 5e68e79aabab2cfd7206f08f6414508fbda7b3380b27dcc68ef91803e21e70ef |
| SHA512 | 9979b17f4701c876f0ef4d3d7293948a296477dd5b916239fe238000346d0f96dda9d089ecee80c2480a86daccccbeef893a18d938d0de6391818b5ebc0970ca |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\SiteSecurityServiceState.txt
| MD5 | 0b9408c8752ef9eebc0143cb48d53166 |
| SHA1 | 1a5712cb1e6385ba83e5de2bd5dd89efb855baef |
| SHA256 | 77d004e17508b882bc9aad9956d7a6f69730263f80fc25f53e53f73c481a4da4 |
| SHA512 | e0d9bafbe76adb9c2ac64cc25ad0d784fd1c415ca156a39ab5e17646efd9265921b2010c01729e838e989ae62c3ae3480cf1c0dbe1fa52658c87216072b26b65 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\sessionstore-backups\upgrade.jsonlz4-20221007134813
| MD5 | 35056e82731b50e23b2c9e85f9b210aa |
| SHA1 | 1bdc6a9a56e41bd3a86d3eeaf7f5d8a97d61ea23 |
| SHA256 | 719e438c7b079b97d969f780b3aeebcee87397c35d54dce3cdcdf3fc82bf1a53 |
| SHA512 | e82a5d99d447fcbd9951445f69cd9339bdf1e1311f28c1c2d26f15dc4d5882499b87f9bb136038c68dd9d27fd84fe442078f923a4c4475286ef749c32b381625 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | d562fce347017aabf34e7455a0564357 |
| SHA1 | e0c551369d24ae8297ed78a0cb21e365cd275867 |
| SHA256 | ede6673cf45ef0869e682fb9db666abd3fd8590000609f2ed5cd3af6f1778c6f |
| SHA512 | 413d5eccc8578f8b00522b4e10b306f86b56f7457b61163ac410162dd6ca5970ebd451a0b731b280fcaa98af0daad0309c8be6ac5ea750f7cf459fa4c3265d5a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\sessionCheckpoints.json.tmp
| MD5 | 948a7403e323297c6bb8a5c791b42866 |
| SHA1 | 88a555717e8a4a33eccfb7d47a2a4aa31038f9c0 |
| SHA256 | 2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e |
| SHA512 | 17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\search.json.mozlz4
| MD5 | 033eb0645837c8b618a593f7b9a72642 |
| SHA1 | cf4c2e7ccaa275ee47cdd945a7bd1f8b57c61172 |
| SHA256 | 3409fd08295094b37673d748a0374cf0afaecf1671188b2ed012626cad67a582 |
| SHA512 | 27dd0743306b0845c06b3be3e3ae2f515777dced4bbf91a4864bb95c5873e2d6351d99be36d4762a2ba8262130c6d139db3f4f5272afb8717e02b09c1e39c2b4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\protections.sqlite
| MD5 | c85d1bbdcb2505d7f5c6bd0dd2b06492 |
| SHA1 | b045492af83bf1549827343014eae43cc0a817d7 |
| SHA256 | a5cbb5daa9ea1b98935ab288b6293bd08abab25a4576a400334c68e6b781c64f |
| SHA512 | 7343830acaff4a89de4a47e71e10f9a99539d075fcfef3ca0d9e9701f6a8fbfbfb8ad342764314a01a171a1acb3b3d5eb404817d40ca5b0a2444c06e8f925f37 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\prefs.js
| MD5 | 580aaebcc2926902dc1a82b71a1c70e5 |
| SHA1 | 844e9d6832ad15e30e1f1e02b2fc1978c3955cf4 |
| SHA256 | 2f8cfc1df1a4d6d9a5a338f79e811bf5e3584e5a62fec47638de62bde69cd5bd |
| SHA512 | 6a3004e1dba88f2d5cf2adda5939379bfdc94fc77557fb28ab116da1056a2982a0d2c3d9f1ad4b9a381917cf801a6edade445f2daa7771945fd30087b90a2086 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\xulstore.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\targeting.snapshot.json
| MD5 | c34daf237836f1858cf33a4d79bd3075 |
| SHA1 | d1f1cfd953dadc6f1d0b394114e65b313294bb7b |
| SHA256 | 390392f4714a7d898de5308b32212f69824742f2ed754a52defb83e055e3e49f |
| SHA512 | 66b6f479cd1ae291cfbe1cd6dcf46124041de425ee9ef5fe2be50ba1e900fd048ce699b3f6e5c67475e398daf3e3006a84821c925c2a7c3ec24cd37c9b0fbabe |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 5e5a18eaac548ba3347e3ab67c72a38d |
| SHA1 | a21e26197f207b4fdbbb3efb7b193ad2d98b0ca2 |
| SHA256 | 4bd071dc6a47da7a12ed292bfe405a88a401c441ef562e994799c034193ac6a2 |
| SHA512 | 75e262bbd65f7a17f4a017f96009730df780ba5a19bfb4495437fecd3ee18ff039916729fd505fb9a0f1fd3e29212d0ec9c3141fafda933a44af2010ecc2c7fe |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\datareporting\state.json
| MD5 | 3e32e2cc1ed028dd8ff9b06f50a4707b |
| SHA1 | b3910351bd8e13ad1479db699cf6fac6544a5bef |
| SHA256 | 4a3a666d98e61b5fe06fecac56807137a0fffb4bb71d4c3b16baa8702dde738c |
| SHA512 | 4585ee9ec04adf138727cd039a9cbe78db6cf2926f6ce92524312a42efd1250100848a919ec4b833f9a013181ce93734575b86eed37f1bf32effa3237eba84db |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\datareporting\session-state.json
| MD5 | 7497ea3f7ec2453adbba4af6e4eaf60a |
| SHA1 | ceeee89795825431d1cf3db9062e8997aabefba7 |
| SHA256 | ee71adae2b451a2a0e59c9f23e4e7d3756c3116203dbfac657d9d88c6fe7cf28 |
| SHA512 | 26ac018211ba6f499b313f1d3273867f224b3187f42953f054a9b637bb07b67245d6418f4da681fb39777a2c005367b2c1a008481910ab2411123afac93ff4a6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 7fba44cb533472c1e260d1f28892d86b |
| SHA1 | 727dce051fc511e000053952d568f77b538107bb |
| SHA256 | 14fb5cda1708000576f35c39c15f80a0c653afaf42ed137a3d31678f94b6e8bf |
| SHA512 | 1330b0f39614a3af2a6f5e1ea558b3f5451a7af20b6f7a704784b139a0ec17a20c8d7b903424cb8020a003319a3d75794e9fe8bc0aeb39e81721b9b2fdb9e031 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ansawjgd.default-release-1682852295562\prefs.js
| MD5 | 4975ad0a555ed22e5ad5aaaaf8100e86 |
| SHA1 | 63ca75b845088fb227cc48f77ef940b3aafa479b |
| SHA256 | 191c36b735e89340fed0439669b8e6ddaaf1b531a08dd1d02245a5c648411c33 |
| SHA512 | 4b529efb5a6f31b8830ee618e8858d94a1d5ed0e1452c49c578685ba7a3ff224752bb728196900a60cf10f0ed63a553a435fa597d22632af2136b1ba281c20a0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ansawjgd.default-release-1682852295562\sessionstore.jsonlz4
| MD5 | 4fdb7f9a51ba177262d07d38c0238915 |
| SHA1 | f12c5a74467bf624164ac77ab7af517ce46ace8d |
| SHA256 | a641f5701e0ccb2fc22a9f4323c96d899db4397fc08c63fc5de852d9aadca9d7 |
| SHA512 | fd0e72672b280e9f362cd8ba4a81c795fd741163020cd2c62a104c3f8e006883ac592951db85f364f3fece2d9af386f635b93ced301e12b4418e1e0a7fdd9c09 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\profiles.ini
| MD5 | 19379f55161819bd6c3511da08104471 |
| SHA1 | 91e85210a63d53bfc57c9215a3a070a61c0dbbff |
| SHA256 | 535770987c037c0cb13fd1d2477ea5633402a0dfe44c2957d63c83919ceae4c3 |
| SHA512 | 727eb8b7776e98592ec25cb33323416f62391423f58034ffb9d18e7bd31a9be58f30e1321fe753e7eccc18c08791e383e301b893951f178d42bc6dcf0dd00e26 |
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ansawjgd.default-release-1682852295562\extensions.json.tmp
| MD5 | f8448afe670d34c00541147321c3ef73 |
| SHA1 | 2b6cf01c05fbd72faa06df0f2d95ebe34df9c1e0 |
| SHA256 | 8ddcd30853fab6209c96197d367086d7e088a4576a8a76fc2874e5e5e7034c52 |
| SHA512 | 1fca17d5dc47642d717bbefeee97a9ebd087988258dd24ec054500c2e823a30b1ca7ddaa27d2e3e752d9ded42adce361efc18e466e46e1bfa06c2a0d301f267e |
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json
| MD5 | 7d1d7e1db5d8d862de24415d9ec9aca4 |
| SHA1 | f4cdc5511c299005e775dc602e611b9c67a97c78 |
| SHA256 | ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda |
| SHA512 | 1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ansawjgd.default-release-1682852295562\containers.json
| MD5 | 94a3843fad8c45c48b0e07342df3dfdc |
| SHA1 | d55b650208bda884d573afebd90830a3f4d7c201 |
| SHA256 | 854ff2076f71097b030c302a1ea71d8e851d2920b9ff5fc8dc8f16c91ba95b72 |
| SHA512 | 4d2a6b2a223ad81bb97195abb27685cf88453caf5769de154b373486d5245f02e0c0f664281d8e3bb33bfcdf1d6f7b3d9602303864d4e56481382adcb0b932db |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ansawjgd.default-release-1682852295562\sessionstore-backups\recovery.jsonlz4
| MD5 | 3c59a0de7132364fe7302d4e5ca455d2 |
| SHA1 | d4e9c4249c1fcc015ef2a3b9bf32d74116c641ab |
| SHA256 | 45c5063174858f5a2f833aa497ba6db64099d8d32ec6290f8dae6812cfa1b05e |
| SHA512 | 7061316b3d4b94930f4a6e8f76b5f57f65f4a94e8003d8a8a842f848b1b1b72e5ea7c00a970fb610a9c0b7ceecfb46680238bc2c9bd41c08e55322f5738eb9b0 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-30 10:56
Reported
2023-04-30 10:59
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1288 set thread context of 2156 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Memory.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WindowsServices\EHKOZ.cmd" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\AppData\Roaming\WindowsServices\FWVCX.ps1
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
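The process list above is the execution chain a detection should key on: WScript.exe running Memory.vbs, cmd.exe running a dropped .cmd from AppData\Roaming\WindowsServices, PowerShell started with -NoProfile -ExecutionPolicy Bypass to run a .ps1 from the same folder, and finally RegSvcs.exe started from AppData\Local\Temp by that PowerShell process (the SetThreadContext signature, PID 1288 into 2156, is the pattern usually seen when a payload is injected into a freshly started host process). RegSvcs.exe is a legitimate .NET Framework tool that normally lives under C:\Windows\Microsoft.NET\Framework*\, so its path alone is a usable signal. The Python below is an added example, not part of the sandbox output: it replays that chain as constructed Sysmon-style process-creation events (PIDs 1288 and 2156 are the report's, every other PID and the benign control row are made up) and evaluates four rules against them.

```python
"""Flag the execution chain recorded in the behavioral2 process list.

Constructed process-creation events (Sysmon EventID 1 shape) mirroring the
report's command lines. PIDs 1288 and 2156 come from the report's
SetThreadContext signature; the other PIDs and the benign control row are
made up for the example.
"""
import ntpath
import re

# Constructed events, not sandbox output.
EVENTS = [
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 1000, "ppid": 900, "image": r"C:\Windows\System32\WScript.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Memory.vbs"'},
    {"pid": 1100, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WindowsServices\EHKOZ.cmd" "'},
    {"pid": 1288, "ppid": 1100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\AppData\Roaming\WindowsServices\FWVCX.ps1"},
    {"pid": 2156, "ppid": 1288, "image": r"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"'},
    # Benign control (constructed): the real RegSvcs.exe from its .NET home.
    {"pid": 3000, "ppid": 900,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe",
     "cmd": r"RegSvcs.exe /u foo.dll"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A script path under a user-writable profile folder.
USER_WRITABLE = re.compile(r"\\appdata\\(roaming|local)\\", re.IGNORECASE)
# Where the genuine RegSvcs.exe lives.
DOTNET_HOME = re.compile(r"^c:\\windows\\microsoft\.net\\framework(64)?\\", re.IGNORECASE)


def basename(path):
    return ntpath.basename(path).lower()


def ancestry(events, pid):
    """Image basenames from pid up to the root (self first)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (pid, rule) pairs for events matching the report's chain."""
    hits = []
    for e in events:
        name = basename(e["image"])
        chain = ancestry(events, e["pid"])
        cmd = e["cmd"].lower()
        # Rule 1: PowerShell told to bypass policy for a script in AppData.
        if name == "powershell.exe" and "-executionpolicy bypass" in cmd \
                and USER_WRITABLE.search(cmd):
            hits.append((e["pid"], "powershell_bypass_user_writable_script"))
        # Rule 2: script host -> cmd.exe -> powershell.exe lineage.
        if name == "powershell.exe" and len(chain) > 1 and chain[1] == "cmd.exe" \
                and SCRIPT_HOSTS & set(chain[2:]):
            hits.append((e["pid"], "script_host_cmd_powershell_chain"))
        # Rule 3: RegSvcs.exe running from anywhere but the .NET Framework dir.
        if name == "regsvcs.exe" and not DOTNET_HOME.match(e["image"]):
            hits.append((e["pid"], "regsvcs_outside_dotnet_home"))
        # Rule 4: RegSvcs.exe whose parent is PowerShell (injection host).
        if name == "regsvcs.exe" and len(chain) > 1 and chain[1] == "powershell.exe":
            hits.append((e["pid"], "regsvcs_spawned_by_powershell"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

Rules 3 and 4 fire on PID 2156 and rules 1 and 2 on PID 1288, while the control row (the genuine RegSvcs.exe launched from its .NET Framework directory) produces nothing. The ancestry walk is what makes rule 2 robust to the intermediate cmd.exe: it looks at the whole lineage rather than just the immediate parent.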
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.pl | udp |
| PL | 185.157.81.233:443 | pastebin.pl | tcp |
| US | 8.8.8.8:53 | 233.81.157.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.55.52.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.175.53.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 95.214.24.134:1911 | | tcp |
| US | 8.8.8.8:53 | 134.24.214.95.in-addr.arpa | udp |
| US | 40.125.122.176:443 | | tcp |
| US | 20.42.73.26:443 | | tcp |
| US | 40.125.122.176:443 | | tcp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 40.125.122.176:443 | | tcp |
| US | 40.125.122.176:443 | | tcp |
| US | 40.125.122.176:443 | | tcp |
| US | 40.125.122.176:443 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YTOSB.vbs
| MD5 | cf0d0c9a3f216b899b91781a093e829e |
| SHA1 | 606998c5c842f4d86e72819e92ef485a1f24bf2a |
| SHA256 | a12cc767ab92fa1379c213ebc9a637bfbc0c316e654850789a19abc17eb65a75 |
| SHA512 | bd3af39529ea646026716b4d6ed343f98b989beeb0f025e90be54b55050b38744aa9c6a04b061394c3ef2abfce797b943e83ac5a8386888319c03e380f3839f5 |
C:\Users\Admin\AppData\Roaming\WindowsServices\EHKOZ.cmd
| MD5 | 0c4f14db483f17cc1842aa6d7762fe00 |
| SHA1 | 582e6d58bee7b124cd6b0b4d9514f73ce68d374c |
| SHA256 | c3aa7a1a4b7ff07c05c5c630853c1b9ce4110481a4300a05536e501f198fb4f4 |
| SHA512 | d5136d78b29667cfd3a6e2c050ebf95509e7acf032a192bc7eca8510f7c3d4b1e98aea1bb34cbe2d2cd54da87ee57dd2b93c4da27bf3ea30b5b32f5fe20f2950 |
memory/1288-158-0x0000028E4CC10000-0x0000028E4CC32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v1yxqcqq.gee.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\WindowsServices\FWVCX.ps1
| MD5 | 5136fb951b17f99d700ee1816764f255 |
| SHA1 | 1ffa5721e100a286752da77bd203ac9d76573eec |
| SHA256 | 4c300f1601a8baa0a9bedf7048f960425ad7e1fe899b0ebded0f5628acdd0743 |
| SHA512 | 29cacc82c91c194a8ca3df15aad8983d57c4bf563b9aec5b74cca0c99c8b42b49ff8ff182c42313ad7aee8d2fe3c2a6819dbcb0bef43eaaa01af53519b986566 |
memory/1288-169-0x0000028E66380000-0x0000028E66390000-memory.dmp
memory/1288-170-0x0000028E66380000-0x0000028E66390000-memory.dmp
memory/2156-173-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 9d352bc46709f0cb5ec974633a0c3c94 |
| SHA1 | 1969771b2f022f9a86d77ac4d4d239becdf08d07 |
| SHA256 | 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390 |
| SHA512 | 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b |
memory/2156-178-0x0000000005640000-0x0000000005650000-memory.dmp
memory/2156-179-0x0000000005970000-0x0000000005A0C000-memory.dmp
memory/2156-180-0x0000000005FC0000-0x0000000006564000-memory.dmp
memory/2156-181-0x0000000005A80000-0x0000000005AE6000-memory.dmp
memory/2156-182-0x0000000005640000-0x0000000005650000-memory.dmp
memory/4444-183-0x00000231926D0000-0x00000231926D1000-memory.dmp
memory/4444-184-0x00000231926D0000-0x00000231926D1000-memory.dmp
memory/4444-185-0x00000231926D0000-0x00000231926D1000-memory.dmp
memory/4444-190-0x00000231926D0000-0x00000231926D1000-memory.dmp
memory/4444-195-0x00000231926D0000-0x00000231926D1000-memory.dmp
memory/4444-194-0x00000231926D0000-0x00000231926D1000-memory.dmp
memory/4444-193-0x00000231926D0000-0x00000231926D1000-memory.dmp
memory/4444-192-0x00000231926D0000-0x00000231926D1000-memory.dmp
memory/4444-191-0x00000231926D0000-0x00000231926D1000-memory.dmp
memory/4444-189-0x00000231926D0000-0x00000231926D1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsServices.lnk
| MD5 | 9a9f52c0ba093377d4a76bfc00589330 |
| SHA1 | aece433ae7c1017b1ec63dc8001d250ae3c50946 |
| SHA256 | bec35cc343049f713992713fc2129c11170d68113e797be34f362855e4e96e3d |
| SHA512 | 46c7ed3e501b285a9719d82c7936b75157560b862f0e7863facbd78316d2650e9723435cdfa342705166b02d7b51f89347c5d06aa2ccf071cc0ef0382912a86f |
C:\Users\Admin\Start Menu\Programs\Startup\YTOSB.vbs
| MD5 | cf0d0c9a3f216b899b91781a093e829e |
| SHA1 | 606998c5c842f4d86e72819e92ef485a1f24bf2a |
| SHA256 | a12cc767ab92fa1379c213ebc9a637bfbc0c316e654850789a19abc17eb65a75 |
| SHA512 | bd3af39529ea646026716b4d6ed343f98b989beeb0f025e90be54b55050b38744aa9c6a04b061394c3ef2abfce797b943e83ac5a8386888319c03e380f3839f5 |
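Only a handful of files in this run are the sample's own: YTOSB.vbs and WindowsServices.lnk in the Startup folder (the persistence mechanism), EHKOZ.cmd and FWVCX.ps1 in AppData\Roaming\WindowsServices, and RegSvcs.exe in AppData\Local\Temp. The Firefox profile files listed under the behavioral1 run are browser state written while firefox.exe ran, and two entries in the report are hashes of trivial content: \??\PIPE\samr carries the digest of empty input (MD5 d41d8cd9..., SHA256 e3b0c442...) and xulstore.json carries the digest of the two bytes "{}" (MD5 99914b93..., SHA256 44136fa3...). None of those belong in a blocklist. The Python below is an added example, not part of the report: it hashes every file under a directory, matches against the five dropped-file SHA256 values, and derives the trivial-content digests at runtime so they can never be used as indicators even if pasted into the set.

```python
"""Match files on disk against the dropped-file hashes from this report.

Added example. Hashes every file under a directory, compares with the SHA256
values the report lists for the dropped components, and refuses to treat the
digests of empty or trivially small content as indicators.
"""
import hashlib
import os
import tempfile

# SHA256 values copied from the report's Files section (behavioral2 run).
DROPPED_SHA256 = {
    "a12cc767ab92fa1379c213ebc9a637bfbc0c316e654850789a19abc17eb65a75": "YTOSB.vbs (Startup folder)",
    "c3aa7a1a4b7ff07c05c5c630853c1b9ce4110481a4300a05536e501f198fb4f4": "EHKOZ.cmd",
    "4c300f1601a8baa0a9bedf7048f960425ad7e1fe899b0ebded0f5628acdd0743": "FWVCX.ps1",
    "2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390": "RegSvcs.exe (AppData\\Local\\Temp)",
    "bec35cc343049f713992713fc2129c11170d68113e797be34f362855e4e96e3d": "WindowsServices.lnk (Startup folder)",
}

# Content that carries no signal. The report itself records the empty-input
# digest for \??\PIPE\samr and the digest of "{}" for xulstore.json; computing
# them here rather than hard-coding them keeps the exclusion list honest.
TRIVIAL_CONTENT = [b"", b"{}"]
TRIVIAL_SHA256 = {hashlib.sha256(c).hexdigest() for c in TRIVIAL_CONTENT}


def sha256_file(path):
    """Streamed SHA256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_usable_indicator(digest):
    return digest.lower() not in TRIVIAL_SHA256


def scan(root, indicators=DROPPED_SHA256):
    """Return [(path, label)] for files whose SHA256 is a usable indicator."""
    usable = {d.lower(): label for d, label in indicators.items()
              if is_usable_indicator(d)}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished file; keep scanning
            if digest in usable:
                hits.append((path, usable[digest]))
    return hits


def self_check():
    """Scan a throwaway directory holding one constructed file and one empty
    file against a constructed indicator set that (wrongly) includes the
    empty-input digest. Returns the hits by basename."""
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "sample.bin")
        with open(sample, "wb") as f:
            f.write(b"constructed sample content")
        open(os.path.join(d, "empty.bin"), "wb").close()
        iocs = {
            hashlib.sha256(b"constructed sample content").hexdigest(): "sample",
            hashlib.sha256(b"").hexdigest(): "empty (must be ignored)",
        }
        return [(os.path.basename(p), label) for p, label in scan(d, iocs)]


if __name__ == "__main__":
    print(self_check())
```

Run it against a suspect profile with scan(r"C:\Users\<user>\AppData") and the five report hashes; the same SHA256 for YTOSB.vbs appears at two Startup paths in the report, so a single indicator covers both copies. Digests of empty or "{}" content are filtered before matching, which is why self_check returns only the constructed sample and not the empty file.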